CN114285835A - HTTP request data processing method and system - Google Patents


Publication number
CN114285835A
Authority
CN
China
Prior art keywords
http
request data
client request
data
http client
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202111651266.9A
Other languages
Chinese (zh)
Other versions
CN114285835B (en)
Inventor
杜晓宇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Original Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Application filed by Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd, Beijing Topsec Software Co Ltd

Abstract

The embodiments of the application provide a method and a system for processing HTTP request data, and relate to the technical field of network security. The method comprises the following steps: acquiring HTTP client request data; performing security detection on the HTTP client request data to generate a security detection result; judging, according to the security detection result, whether the HTTP client request data contains an attack; if an attack exists, blocking the HTTP client request data; if no attack exists, querying the URL information of the HTTP client request data to generate a query result; forwarding the HTTP client request data to a target server; and executing one of the following processes on the HTTP response data according to the query result: ignoring security detection processing of the HTTP response data; or performing security detection processing on the HTTP response data and updating the URL information to a preset URL cache database. The method can achieve the technical effect of improving the processing efficiency of HTTP request data.

Description

HTTP request data processing method and system
Technical Field
The application relates to the technical field of network security, in particular to a method and a system for processing HTTP request data.
Background
Currently, a Web application-level intrusion prevention system, also called a Web Application Firewall (WAF), is a product that protects Web applications by enforcing a series of security policies for the Hypertext Transfer Protocol (HTTP) or Hypertext Transfer Protocol Secure (HTTPS). When the WAF is deployed in transparent mode, the HTTP messages passing through the device are reassembled and subjected to protocol analysis, and the application-layer HTTP data is then subjected to protocol verification and rule processing using a rich rule base, so that malicious attack requests can be resisted.
In the prior art, a WAF reassembles the Transmission Control Protocol (TCP) traffic of a protected site passing through the device according to the 5-tuple of protocol, source IP, source port, destination IP and destination port, performs protocol analysis on the application-layer HTTP data on the connection, and then performs security detection. However, as network bandwidth increases, the processing power required of WAF devices also increases. In a real network environment, the HTTP site traffic protected by the WAF contains a large number of repeated responses, which occupy a large amount of the WAF system's CPU and memory resources and increase network delay. Growing traffic throughput requirements can then only be met by continually upgrading the hardware configuration.
Disclosure of Invention
Embodiments of the present application provide a method and a system for processing HTTP request data, an electronic device, and a computer-readable storage medium, which can achieve the technical effect of improving the processing efficiency of HTTP request data.
In a first aspect, an embodiment of the present application provides a method for processing HTTP request data, including:
acquiring HTTP client request data, wherein the HTTP client request data comprises URL information;
performing security detection on the HTTP client request data to generate a security detection result;
judging whether the HTTP client request data contains an attack according to the security detection result;
if the HTTP client request data contains an attack, blocking the HTTP client request data;
if the HTTP client request data contains no attack, querying the URL information of the HTTP client request data in a preset URL cache database to generate a query result;
forwarding the HTTP client request data to a target server, wherein the target server responds to the HTTP client request data and generates HTTP response data;
executing one of the following processes on the HTTP response data according to the query result: ignoring security detection processing of the HTTP response data; or performing security detection processing on the HTTP response data and updating the URL information to the preset URL cache database.
In the implementation process, the method performs security detection on the acquired HTTP request data. After one HTTP transaction has been processed, if no attack was detected in it, the method judges whether the transaction can be cached and, if so, updates the URL information of the request data to the preset URL cache database. When subsequent HTTP client request data arrives, after its security detection the method queries whether its URL information is in the preset URL cache database, and if so, processing of the corresponding HTTP response data can be ignored. The method can therefore achieve the technical effect of improving the processing efficiency of HTTP request data, and can improve the WAF device's capacity for processing HTTP request data.
Further, the step of performing security detection on the HTTP client request data and generating a security detection result includes:
performing protocol analysis on the HTTP client request data to generate protocol analysis data;
and detecting the protocol analysis data according to a preset security rule to generate the security detection result.
In the implementation process, before the HTTP client request data is further processed (for example, forwarded), the protocol analysis data is first detected according to a preset security rule, so as to determine whether the HTTP client request data is safe data.
Further, before the step of forwarding the HTTP client request data to the target server, the method further includes:
judging whether the URL information is stored in the preset URL cache database or not according to the query result;
if not, skipping to the step of forwarding the HTTP client request data to a target server;
if yes, judging whether the URL information is expired;
if not expired, adding an ignore detection mark to the HTTP client request data;
and if expired, removing the URL information from the preset URL cache database.
In the implementation process, whether the HTTP client request data is repeated request data can be judged from the query result and from whether the URL information is expired; if the HTTP client request data is repeated request data, an ignore detection mark is added; therefore, in the next processing step, whether to ignore the subsequent processing of the HTTP response data can be judged according to whether the HTTP client request data carries the ignore detection mark.
Further, the step of executing one of the following processes on the HTTP response data according to the query result (ignoring security detection processing of the HTTP response data; or performing security detection processing on the HTTP response data and updating the URL information to the preset URL cache database) includes:
judging whether the HTTP client request data has the ignore detection mark;
if yes, executing the step of ignoring security detection processing of the HTTP response data;
if not, performing security detection on the HTTP response data and judging whether the HTTP response data contains an attack;
if yes, jumping to the step of blocking the HTTP client request data;
and if not, executing the step of updating the URL information to the preset URL cache database.
In the implementation process, if the HTTP client request data has an ignore detection mark, it is determined to be repeated request data, and subsequent processing of the HTTP response data can be skipped directly; if the HTTP client request data does not have the ignore detection mark, security detection is performed on the corresponding HTTP response data, and the HTTP response data is forwarded once its security has been confirmed.
Further, before the step of acquiring HTTP client request data that includes URL information, the method further includes:
and establishing the preset URL cache database.
In the implementation process, a preset URL cache database is established according to historical HTTP client request data; in a specific processing process, the preset URL cache database is updated in real time.
Further, after the step of executing one of the following processes on the HTTP response data according to the query result (ignoring security detection processing of the HTTP response data; or performing security detection processing on the HTTP response data and updating the URL information to the preset URL cache database), the method further includes:
and forwarding the HTTP response data to the target client.
In a second aspect, an embodiment of the present application provides a system for processing HTTP request data, including:
the acquisition module is used for acquiring HTTP client request data, and the HTTP client request data comprises URL information;
the security detection module is used for carrying out security detection on the HTTP client request data to generate a security detection result;
the security judgment module is used for judging whether the HTTP client request data contains an attack according to the security detection result;
the blocking module is used for blocking the HTTP client request data if the HTTP client request data contains an attack;
the query module is used for querying the URL information of the HTTP client request data in a preset URL cache database to generate a query result if the HTTP client request data contains no attack;
the forwarding module is used for forwarding the HTTP client request data to a target server, and the target server responds to the HTTP client request data and generates HTTP response data;
an execution module, configured to execute one of the following processes on the HTTP response data according to the query result: ignoring security detection processing of the HTTP response data; or performing security detection processing on the HTTP response data and updating the URL information to the preset URL cache database.
Further, the security detection module includes:
the protocol analysis unit is used for carrying out protocol analysis on the HTTP client request data to generate protocol analysis data;
and the security detection unit is used for detecting the protocol analysis data according to a preset security rule to generate the security detection result.
Further, the processing system of the HTTP request data further includes:
the storage judging module is used for judging whether the URL information is stored in the preset URL cache database according to the query result;
if the URL information is not stored in the preset URL cache database, skipping to the step of forwarding the HTTP client request data to a target server;
the expiration judging module is used for judging whether the URL information is expired or not if the URL information is stored in the preset URL cache database;
if not, adding an ignoring detection mark to the HTTP client request data;
and if so, removing the URL information from the preset URL cache database.
Further, the execution module includes:
an ignore mark judging unit, configured to judge whether the HTTP client request data has the ignore detection mark;
an ignoring unit, configured to execute the step of ignoring security detection processing of the HTTP response data if the ignore detection mark is present;
the response analysis data security judgment unit is used for performing security detection on the HTTP response data and judging whether the HTTP response data contains an attack if the ignore detection mark is absent;
if yes, jumping to the step of blocking the HTTP client request data;
and the updating unit is used for executing the step of updating the URL information to the preset URL cache database if the HTTP response data contains no attack.
Further, the processing system of the HTTP request data further includes:
and the cache establishing module is used for establishing the preset URL cache database.
Further, the forwarding module is further configured to forward the HTTP response data to the target client.
In a third aspect, an electronic device provided in an embodiment of the present application includes: memory, a processor and a computer program stored in the memory and executable on the processor, the processor implementing the steps of the method according to any of the first aspect when executing the computer program.
In a fourth aspect, an embodiment of the present application provides a computer-readable storage medium having instructions stored thereon, which, when executed on a computer, cause the computer to perform the method according to any one of the first aspect.
In a fifth aspect, embodiments of the present application provide a computer program product, which when run on a computer, causes the computer to perform the method according to any one of the first aspect.
Additional features and advantages of the disclosure will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by the practice of the above-described techniques.
In order to make the aforementioned objects, features and advantages of the present application more comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are required to be used in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and that those skilled in the art can also obtain other related drawings based on the drawings without inventive efforts.
Fig. 1 is a schematic flowchart of a method for processing HTTP request data according to an embodiment of the present disclosure;
Fig. 2 is a schematic flowchart of another HTTP request data processing method according to an embodiment of the present application;
Fig. 3 is a block diagram of a system for processing HTTP request data according to an embodiment of the present application;
Fig. 4 is a block diagram of an electronic device according to an embodiment of the present disclosure.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures. Meanwhile, in the description of the present application, the terms "first", "second", and the like are used only for distinguishing the description, and are not to be construed as indicating or implying relative importance.
The embodiments of the application provide a method and a system for processing HTTP request data, an electronic device and a computer-readable storage medium, which can be applied to the WAF's detection and processing of request messages. The method performs security detection on the acquired HTTP request data. After one HTTP transaction has been processed, if no attack was detected in it, the method judges whether the transaction can be cached and, if so, updates the URL information of the request data to the preset URL cache database. When subsequent HTTP client request data arrives, after its security detection the method queries whether its URL information is in the preset URL cache database, and if so, processing of the corresponding HTTP response data can be ignored. The method can therefore achieve the technical effect of improving the processing efficiency of HTTP request data, and can improve the WAF device's capacity for processing HTTP request data.
Illustratively, the HTTP request data referred to in the embodiments of the present application means all data of an HTTP transaction. Generally, a complete HTTP interaction (request + response) is referred to as an HTTP request or transaction, and it includes the one-way data of both directions: the HTTP request-direction data (i.e., HTTP client request data) and the HTTP response-direction data (i.e., HTTP response data).
Referring to fig. 1, fig. 1 is a schematic flow chart of a processing method of HTTP request data according to an embodiment of the present application, where the processing method of HTTP request data includes:
S100: Acquire HTTP client request data, where the HTTP client request data includes URL information.
Exemplarily, the method is applied at a WAF protection site (i.e., a WAF device). The WAF protection site reassembles traffic according to the 5-tuple of protocol, source IP, source port, destination IP and destination port, performs protocol analysis on the application-layer HTTP request data (HTTP packets) on the connection, and then performs security detection.
S200: Perform security detection on the HTTP client request data to generate a security detection result.
S300: Judge, according to the security detection result, whether the HTTP client request data contains an attack.
S400: If the HTTP client request data contains an attack, block the HTTP client request data.
Illustratively, the WAF protection site performs rule detection on the HTTP client request data and blocks it if an attack is detected; if no attack is detected, the HTTP client request data is safe and the next processing step can be carried out. S200 to S400 thus implement the WAF protection site's function of defending against malicious attack requests.
S500: If the HTTP client request data contains no attack, query the URL information of the HTTP client request data in the preset URL cache database to generate a query result.
S600: Forward the HTTP client request data to the target server; the target server responds to the HTTP client request data and generates HTTP response data.
Exemplarily, the preset URL cache database is a URL cache established in advance, which stores the URL information of historical HTTP request data previously processed by the WAF protection site; if the query result shows that the URL information of the HTTP request data is stored in the preset URL cache database, it indicates that the HTTP request data corresponds to repeated response data.
S700: Execute one of the following processes on the HTTP response data according to the query result: ignoring security detection processing of the HTTP response data; or performing security detection processing on the HTTP response data and updating the URL information to the preset URL cache database.
As an example, after S700 the HTTP response data is forwarded to the target client.
Exemplarily, whether the HTTP response data is repeated response data can be judged from the query result. If it is, security detection processing of the HTTP response data can be ignored, which prevents a large number of repeated responses from occupying the processor and memory resources of the WAF protection site and effectively reduces network delay; if it is not, normal response processing and forwarding are carried out on the HTTP response data, and the URL information of the HTTP client request data is updated to the preset URL cache database.
Optionally, before the step of updating the URL information to the preset URL cache database, it is further required to detect whether the URL information of the HTTP request data can be cached; and for the non-cacheable response, skipping the step of updating the URL information to the preset URL cache database and directly ending the processing.
In some embodiments, the method performs security detection on the acquired HTTP request data. After one HTTP transaction has been processed, if no attack was detected in it, the method judges whether the transaction can be cached and, if so, updates the URL information of the request data to the preset URL cache database. When subsequent HTTP client request data arrives, after its security detection the method queries whether its URL information is in the preset URL cache database, and if so, processing of the corresponding HTTP response data can be ignored. The method can therefore achieve the technical effect of improving the processing efficiency of HTTP request data, and can improve the WAF device's capacity for processing HTTP request data.
Referring to fig. 2, fig. 2 is a schematic flowchart illustrating another HTTP request data processing method according to an embodiment of the present application.
Exemplarily, S200 (performing security detection on the HTTP client request data to generate a security detection result) comprises the following steps:
S210: Perform protocol analysis on the HTTP client request data to generate protocol analysis data;
S220: Detect the protocol analysis data according to a preset security rule to generate the security detection result.
For example, before the HTTP client request data is further processed (e.g., forwarded), the protocol analysis data is first checked against the preset security rule to determine whether the HTTP client request data is a secure HTTP request.
Exemplarily, before S600 (forwarding the HTTP client request data to the target server), the method further includes:
S511: Judge, according to the query result, whether the URL information is stored in the preset URL cache database;
if not, jump to S600;
S512: If yes, judge whether the URL information is expired;
S513: If not expired, add an ignore detection mark to the HTTP client request data;
S514: If expired, remove the URL information from the preset URL cache database.
Illustratively, whether the HTTP client request data is repeated request data can be judged from the query result and from whether the URL information is expired; if the HTTP client request data is repeated request data, an ignore detection mark is added; therefore, in the next processing step, whether to ignore the subsequent processing of the HTTP response data can be judged according to whether the HTTP client request data carries the ignore detection mark.
For example, when the URL information is determined to have expired, although it can still be found in the preset URL cache database, the HTTP client request data is determined not to be repeated request data because the preset time has been exceeded.
In some embodiments, when the URL information of HTTP client request data or of historical HTTP client request data is stored in the preset URL cache database, the corresponding time information is recorded; whether the URL information has exceeded the preset time can then be judged from this time information, and if it has, the URL information is expired and the HTTP client request data is not repeated request data.
Exemplarily, S700 (executing one of the following processes on the HTTP response data according to the query result: ignoring security detection processing of the HTTP response data; or performing security detection processing on the HTTP response data and updating the URL information to the preset URL cache database) comprises the following steps:
S710: Judge whether the HTTP client request data has an ignore detection mark;
S720: If yes, execute the step of ignoring security detection processing of the HTTP response data;
S730: If not, perform security detection on the HTTP response data and judge whether the HTTP response data contains an attack;
if yes, jump to S400;
S740: If not, execute the step of updating the URL information to the preset URL cache database.
Illustratively, if the HTTP client request data has an ignore detection mark, the request data is determined to be repeated, and subsequent processing of the HTTP response data can be skipped directly; if the HTTP client request data does not have the ignore detection mark, security detection (security detection processing) is performed on the corresponding HTTP response data, and the HTTP response data is forwarded once its security has been confirmed.
Exemplarily, before S100 (acquiring HTTP client request data that includes URL information), the method further includes:
S101: Establish the preset URL cache database.
Illustratively, the preset URL cache database is built according to historical HTTP client request data; in a specific processing process, the preset URL cache database is updated in real time.
Exemplarily, after S700 (executing one of the following processes on the HTTP response data according to the query result: ignoring security detection processing of the HTTP response data; or performing security detection processing on the HTTP response data and updating the URL information to the preset URL cache database), the method further includes:
S800: Forward the HTTP response data to the target client.
Exemplarily, before S740 (updating the URL information to the preset URL cache database), the method further includes:
S731: Detect whether the URL information can be cached;
if it can be cached, jump to S740;
if it cannot be cached, jump to S800.
In some implementation scenarios, the processing method of HTTP request data provided in the embodiments of the present application ignores processing of the same response through an HTTP cache protocol, thereby improving processing capability of the WAF device; with reference to fig. 1 and fig. 2, in the specific embodiment of the HTTP request data processing method, a cache instruction response header returned by a server is used to cache a rule detection result of a server response (HTTP response data), so that rule detection of the same response content is reduced, and processing capability of a device is improved; the specific steps are exemplified as follows:
the first step is as follows: creating a cache (namely a preset URL cache database) taking the URL as a key for the WAF protection site;
the second step is that: the process of the WAF protective site starts to carry out TCP stream reconstruction, HTTP protocol analysis and security detection on an HTTP message (HTTP request data) passing through equipment, after an HTTP transaction is processed, if the HTTP transaction does not detect attacks, whether the HTTP transaction can be cached or not is judged, and if the HTTP transaction can be cached, corresponding URL information is added into the cache created in the first step;
the third step: when subsequent HTTP request data come, after the request processing is finished, whether the corresponding URL information is in a preset URL cache database or not is inquired, and if the corresponding URL information is in the preset URL cache database, the processing of the response direction of the request is ignored.
The specific processing flow of the HTTP request data by the program is as follows:
(1) the HTTP request data is parsed and then detected according to security rules, and blocked if an attack is detected. If the attack is not detected, the HTTP request data is normal, and corresponding URL information is inquired in a preset URL cache database.
(2) And if the request is not in the preset URL cache database, the request is normally forwarded, and response data processing is carried out.
(3) If the URL information is in a preset URL cache database, the URL information is not expired and an attack response exists, the HTTP request data are blocked;
(4) if the URL information is in a preset URL cache database and is not expired, adding a detection mark for ignoring a response direction rule for the preset URL cache database;
(5) if the URL information is in a preset URL cache database and is expired, removing the URL information from the preset URL cache database, normally forwarding the HTTP request data, and performing response data processing;
(6) analyzing a response head of the HTTP request data, if the HTTP request data has a rule detection mark for ignoring the response direction, directly forwarding, otherwise, carrying out rule detection;
(7) analyzing a response body of the HTTP request data, if the HTTP request data has a rule detection mark for ignoring the response direction, directly forwarding, otherwise, carrying out rule detection;
(8) when all the responses of the HTTP request data are detected, judging the response head field of the HTTP request data, confirming whether caching can be carried out or not, and if caching is allowed, adding the URL information into a preset URL caching database.
Exemplarily, compared with the conventional method, the HTTP request data processing method provided by the embodiment of the present application adds a URL cache that stores the processing result of HTTP response data already detected as normal, so that rule processing of subsequent identical responses is skipped and the processing capability of the WAF device is improved. After a user accesses a page of an HTTP site for the first time, the response result is cached, rule detection is skipped for responses to subsequent identical HTTP requests, and the overall processing capability of the WAF device is improved.
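The flow in steps (1) to (8), sketched as an added Python example (not code from the patent or from any product of the applicant). The rule strings, the 300-second lifetime, the use of Cache-Control for the step (8) cacheability check, and the recording of an attack verdict so that step (3) has data to act on are assumptions; the sample pages are constructed.

```python
import time

# Assumed stand-ins for the WAF rule sets; real rule engines are far richer.
REQUEST_RULES = ("union select", "../", "<script")
RESPONSE_RULES = ("sql syntax", "root:x:0:0")
TTL_SECONDS = 300  # assumed lifetime of a cached URL verdict


def matches(text, rules):
    low = text.lower()
    return any(rule in low for rule in rules)


def cacheable(headers):
    # Step (8): assumed policy; the page only says "response header field".
    cc = headers.get("Cache-Control", "").lower()
    return bool(cc) and not any(d in cc for d in ("no-store", "no-cache", "private"))


class UrlCacheWaf:
    def __init__(self, origin, clock=time.monotonic):
        self.origin = origin        # callable: url -> (headers, body)
        self.clock = clock
        self.cache = {}             # url -> (expires_at, attack_seen)
        self.response_scans = 0     # how often response rules actually ran

    def handle(self, url, body=""):
        # (1) Request-direction detection always runs.
        if matches(url + "\n" + body, REQUEST_RULES):
            return "blocked:request"
        skip_response_rules = False
        entry = self.cache.get(url)
        if entry is not None:
            expires_at, attack_seen = entry
            if self.clock() >= expires_at:
                del self.cache[url]               # (5) expired: rescan
            elif attack_seen:
                return "blocked:cached-attack"    # (3)
            else:
                skip_response_rules = True        # (4) ignore mark
        headers, resp_body = self.origin(url)     # (2)/(5) forward to origin
        if skip_response_rules:
            return "forwarded:skipped"            # (6)(7) no rule detection
        self.response_scans += 1
        head = "\n".join(f"{k}: {v}" for k, v in headers.items())
        attack = matches(head, RESPONSE_RULES) or matches(resp_body, RESPONSE_RULES)
        # (8) Cache clean verdicts only if allowed; attack verdicts are
        # recorded so step (3) has something to act on (assumption).
        if attack or cacheable(headers):
            self.cache[url] = (self.clock() + TTL_SECONDS, attack)
        return "blocked:response" if attack else "forwarded:scanned"


def demo():
    # Constructed origin responses.
    pages = {
        "/index.html": ({"Cache-Control": "max-age=60"}, "<h1>hello</h1>"),
        "/account": ({"Cache-Control": "private"}, "balance: 10"),
        "/debug": ({"Cache-Control": "max-age=60"},
                   "You have an error in your SQL syntax"),
    }
    now = [0.0]
    waf = UrlCacheWaf(lambda url: pages[url], clock=lambda: now[0])
    results = [waf.handle(u) for u in (
        "/index.html", "/index.html", "/account", "/account",
        "/debug", "/debug", "/search?q=1 union select 1")]
    now[0] = TTL_SECONDS + 1    # let the cached verdicts expire
    results.append(waf.handle("/index.html"))
    return results, waf.response_scans


if __name__ == "__main__":
    print(demo())
```

The cache key is the URL alone, as in the described flow, so the step (8) cacheability check is what keeps per-user or otherwise varying responses from inheriting a cached verdict.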
Referring to fig. 3, fig. 3 is a block diagram of a system for processing HTTP request data according to an embodiment of the present application, where the system for processing HTTP request data includes:
an obtaining module 100, configured to obtain HTTP client request data, where the HTTP client request data includes URL information;
the security detection module 200 is configured to perform security detection on HTTP client request data to generate a security detection result;
the security judgment module 300 is configured to judge whether there is an attack on the HTTP client request data according to a security detection result;
the blocking module 400 is configured to block the HTTP client request data if the HTTP client request data has an attack;
the query module 500 is configured to query, according to a preset URL cache database, URL information of HTTP client request data to generate a query result if the HTTP client request data is not attacked;
a forwarding module 600, configured to forward HTTP client request data to a target server, where the target server responds to the HTTP client request data and generates HTTP response data;
an executing module 700, configured to execute one of the following processes on the HTTP response data according to the query result: ignoring security detection processing of HTTP response data; and carrying out security detection processing on the HTTP response data, and updating the URL information to a preset URL cache database.
Illustratively, the security detection module 200 includes:
the protocol analysis unit is used for carrying out protocol analysis on the HTTP client request data to generate protocol analysis data;
and the security detection unit is used for detecting the protocol analysis data according to a preset security rule to generate the security detection result.
Exemplarily, the processing system of HTTP request data further includes:
the storage judging module is used for judging whether the URL information is stored in a preset URL cache database according to the query result;
if the URL information is not stored in the preset URL cache database, skipping to the step of forwarding HTTP client request data to a target server;
the expiration judging module is used for judging whether the URL information is expired or not if the URL information is stored in a preset URL cache database;
if not, adding an ignoring detection mark to HTTP client request data;
and if so, removing the URL information from the preset URL cache database.
Illustratively, the execution module 700 includes:
an ignore mark judging unit, configured to judge whether the HTTP client request data carries the ignore detection mark;
an ignoring unit, configured to, if so, execute the step of ignoring security detection processing of the HTTP response data;
a response data security judgment unit, configured to, if not, perform security detection on the HTTP response data and judge whether an attack exists in the HTTP response data;
if so, jumping to the step of blocking the HTTP client request data;
and an updating unit, configured to, if not, update the URL information to the preset URL cache database.
Exemplarily, the processing system of HTTP request data further includes:
and the cache establishing module is used for establishing a preset URL cache database.
Illustratively, the forwarding module is further configured to forward the HTTP response data to the target client.
It should be understood that the processing system of HTTP request data shown in fig. 3 corresponds to the method embodiments shown in fig. 1 to fig. 2, and is not described herein again to avoid repetition.
Fig. 4 is a block diagram of an electronic device according to an embodiment of the present disclosure. The electronic device may include a processor 510, a communication interface 520, a memory 530, and at least one communication bus 540. The communication bus 540 provides direct connection communication among these components. In this embodiment, the communication interface 520 of the electronic device is used for signaling or data communication with other node devices. The processor 510 may be an integrated circuit chip having signal processing capabilities.
The processor 510 may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; it may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field-Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic, or discrete hardware components. It may implement or perform the various methods, steps, and logic blocks disclosed in the embodiments of the present application. A general-purpose processor may be a microprocessor, or the processor 510 may be any conventional processor or the like.
The memory 530 may be, but is not limited to, a Random Access Memory (RAM), a Read-Only Memory (ROM), a Programmable Read-Only Memory (PROM), an Erasable Programmable Read-Only Memory (EPROM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), and the like. The memory 530 stores computer-readable instructions which, when executed by the processor 510, enable the electronic device to perform the steps involved in the method embodiments of fig. 1-2 described above.
Optionally, the electronic device may further include a memory controller, an input output unit.
The memory 530, the memory controller, the processor 510, the peripheral interface, and the input/output unit are electrically connected to each other directly or indirectly, so as to implement data transmission or interaction. For example, these elements may be electrically coupled to each other via one or more communication buses 540. The processor 510 is used to execute executable modules stored in the memory 530, such as software functional modules or computer programs included in the electronic device.
The input/output unit is used to let a user create a task and set an optional start time period or a preset execution time for the created task, so as to enable interaction between the user and the server. The input/output unit may be, but is not limited to, a mouse, a keyboard, and the like.
It will be appreciated that the configuration shown in fig. 4 is merely illustrative and that the electronic device may include more or fewer components than shown in fig. 4 or may have a different configuration than shown in fig. 4. The components shown in fig. 4 may be implemented in hardware, software, or a combination thereof.
The embodiment of the present application further provides a storage medium storing instructions; when the instructions are run on a computer and the computer program is executed by a processor, the method in the method embodiments is implemented. To avoid repetition, details are not repeated here.
The present application also provides a computer program product which, when run on a computer, causes the computer to perform the method of the method embodiments.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method can be implemented in other ways. The apparatus embodiments described above are merely illustrative, and for example, the flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
If the functions are implemented in the form of software functional modules and sold or used as a stand-alone product, they may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present application, or the portion of it that contributes over the prior art, may be embodied in the form of a software product that is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes: a U disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and various other media capable of storing program code.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application. It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.

Claims (10)

1. A method for processing HTTP request data is characterized by comprising the following steps:
acquiring HTTP client request data, wherein the HTTP client request data comprises URL information;
performing security detection on the HTTP client request data to generate a security detection result;
judging whether the HTTP client request data is attacked or not according to the security detection result;
if the HTTP client request data is attacked, blocking the HTTP client request data;
if the HTTP client request data are not attacked, inquiring URL information of the HTTP client request data according to a preset URL cache database to generate an inquiry result;
forwarding the HTTP client request data to a target server, wherein the target server responds to the HTTP client request data and generates HTTP response data;
executing one of the following processes on the HTTP response data according to the query result: ignoring security detection processing of the HTTP response data; and carrying out security detection processing on the HTTP response data, and updating the URL information to the preset URL cache database.
2. The method for processing HTTP request data according to claim 1, wherein the step of performing security detection on the HTTP client request data to generate a security detection result includes:
performing protocol analysis on the HTTP client request data to generate protocol analysis data;
and detecting the protocol analysis data according to a preset security rule to generate the security detection result.
3. The method for processing HTTP request data as recited in claim 1, further comprising, before the step of forwarding the HTTP client request data to a target server:
judging whether the URL information is stored in the preset URL cache database or not according to the query result;
if not, skipping to the step of forwarding the HTTP client request data to a target server;
if yes, judging whether the URL information is expired;
if not, adding an ignoring detection mark to the HTTP client request data;
and if so, removing the URL information from the preset URL cache database.
4. The method for processing HTTP request data according to claim 3, wherein the step of executing one of the following processes on the HTTP response data according to the query result: ignoring security detection processing of the HTTP response data; and carrying out security detection processing on the HTTP response data, and updating the URL information to the preset URL cache database, comprises:
judging whether the HTTP client request data has the ignoring detection mark or not;
if yes, executing the step of ignoring security detection processing of the HTTP response data;
if not, carrying out security detection on the HTTP response data and judging whether the HTTP response data is attacked or not;
if yes, jumping to the step of blocking the HTTP client request data;
and if not, executing the step of updating the URL information to the preset URL cache database.
5. The method for processing HTTP request data according to claim 1, further comprising, before the step of obtaining HTTP client request data including the URL information:
and establishing the preset URL cache database.
6. The method for processing HTTP request data according to claim 1, wherein after the step of executing one of the following processes on the HTTP response data according to the query result: ignoring security detection processing of the HTTP response data; and carrying out security detection processing on the HTTP response data, and updating the URL information to the preset URL cache database, the method further comprises:
and forwarding the HTTP response data to the target client.
7. A system for processing HTTP request data, comprising:
the acquisition module is used for acquiring HTTP client request data, and the HTTP client request data comprises URL information;
the security detection module is used for carrying out security detection on the HTTP client request data to generate a security detection result;
the security judgment module is used for judging whether the HTTP client request data is attacked or not according to the security detection result;
the blocking module is used for blocking the HTTP client request data if the HTTP client request data is attacked;
the query module is used for querying the URL information of the HTTP client request data according to a preset URL cache database to generate a query result if the HTTP client request data is not attacked;
the forwarding module is used for forwarding the HTTP client request data to a target server, and the target server responds to the HTTP client request data and generates HTTP response data;
an execution module, configured to execute one of the following processes on the HTTP response data according to the query result: ignoring security detection processing of the HTTP response data; and carrying out security detection processing on the HTTP response data, and updating the URL information to the preset URL cache database.
8. The system for processing HTTP request data as recited in claim 7, wherein the security detection module comprises:
the protocol analysis unit is used for carrying out protocol analysis on the HTTP client request data to generate protocol analysis data;
and the security detection unit is used for detecting the protocol analysis data according to a preset security rule to generate the security detection result.
9. An electronic device, comprising: memory, processor and computer program stored in the memory and executable on the processor, the processor implementing the steps of the method of processing HTTP request data according to any one of claims 1 to 6 when executing the computer program.
10. A computer-readable storage medium having stored thereon instructions which, when run on a computer, cause the computer to execute the method of processing HTTP request data according to any one of claims 1 to 6.
CN202111651266.9A 2021-12-30 2021-12-30 HTTP request data processing method and system Active CN114285835B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111651266.9A CN114285835B (en) 2021-12-30 2021-12-30 HTTP request data processing method and system

Publications (2)

Publication Number Publication Date
CN114285835A true CN114285835A (en) 2022-04-05
CN114285835B CN114285835B (en) 2024-04-19

Family

ID=80878816

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111651266.9A Active CN114285835B (en) 2021-12-30 2021-12-30 HTTP request data processing method and system

Country Status (1)

Country Link
CN (1) CN114285835B (en)

Also Published As

Publication number Publication date
CN114285835B (en) 2024-04-19

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant